
Data Processing Agreement

Last updated: 19 March 2026

This DPA forms part of the Terms of Service between TrueFio and the Customer.

This Data Processing Agreement ("DPA") is entered into between the entity or individual who has accepted the TrueFio Terms of Service ("Customer," "you," or "Data Controller") and the entity operating TrueFio ("TrueFio," "we," "us," or "Data Processor"). This DPA governs the processing of personal data by TrueFio on behalf of the Customer in connection with the provision of the TrueFio platform and related services (the "Services").

This DPA supplements and forms an integral part of the Terms of Service ("Agreement"). In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data. This DPA is effective as of the date the Customer accepts the Agreement or begins using the Services, whichever occurs first.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalised terms not defined herein shall have the meanings given to them in the Agreement.

"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of personal data under this DPA, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the Data Protection Act 2018; (c) India's Digital Personal Data Protection Act, 2023 ("DPDPA"); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) any other applicable national, state, or regional data protection legislation.

"Data Controller" means the Customer, who determines the purposes and means of the processing of personal data. The Customer is the Data Controller with respect to all Customer Data processed through the Services.

"Data Processor" means TrueFio, which processes personal data on behalf of the Data Controller in connection with providing the Services.

"Customer Data" means all personal data that is processed by TrueFio on behalf of the Customer in the course of providing the Services. This includes, but is not limited to: end-customer order data (names, addresses, phone numbers, email addresses), advertising campaign data, product data, shipment tracking data, payment transaction references, and any other data the Customer submits to or connects with the Platform through integrations.

"Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA. In the context of TrueFio, Data Subjects primarily include the Customer's end-customers (buyers of the Customer's D2C products) and the Customer's team members who have accounts on the Platform.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed by TrueFio.

"Sub-Processor" means any third party engaged by TrueFio to process Customer Data on behalf of the Customer in connection with the Services.

2. Scope of Processing

TrueFio processes Customer Data solely for the purpose of providing the Services as described in the Agreement. The nature, purpose, duration, and categories of processing are as follows:

2.1 Purpose of Processing

To provide the TrueFio profit analytics platform, including: (a) ingesting and matching order data from e-commerce platforms with advertising spend data from ad platforms; (b) tracking shipment and delivery status through logistics integrations; (c) calculating true return on ad spend (TRUE ROAS) after accounting for returns (RTO), COD failures, shipping costs, payment gateway fees, and cost of goods sold; (d) generating AI-powered recommendations for ad spend optimisation; (e) providing campaign-level, product-level, and pincode-level analytics; (f) enabling attribution tracking through fbclid, gclid, and UTM parameters; and (g) sending transactional emails and alerts.

2.2 Categories of Data Subjects

(a) Customer's end-customers (purchasers of the Customer's products); (b) Customer's team members and authorised users; (c) for agency customers: the agency's client brand personnel.

2.3 Categories of Personal Data

End-customer names, email addresses, phone numbers, shipping and billing addresses, order details (products purchased, order values, payment methods), shipment tracking identifiers, delivery status, return/RTO status, IP addresses (for attribution), browser identifiers (fbclid, gclid), and UTM parameters. For team members: names, email addresses, roles, and activity logs.

2.4 Duration of Processing

TrueFio processes Customer Data for the duration of the Agreement, subject to the data retention limits specified in the Customer's subscription plan (ranging from 7-day retention on the Free plan to 90-day or longer retention on paid plans). Upon termination of the Agreement, processing shall cease in accordance with Section 9 of this DPA.

3. Customer's Obligations as Data Controller

The Customer warrants and undertakes that:

  • The Customer has obtained all necessary consents, authorisations, and legal bases required under Applicable Data Protection Law to collect the personal data of its end-customers and to transmit such data to TrueFio for processing as described in this DPA.
  • The Customer's privacy policy accurately discloses the use of TrueFio as a data processor and describes the types of data processed and the purposes for which it is processed.
  • The Customer shall not submit to TrueFio any special categories of personal data (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sexual orientation) unless explicitly agreed in writing.
  • The Customer is responsible for the accuracy, quality, and legality of the Customer Data and the means by which the Customer acquired the data.
  • The Customer shall promptly inform TrueFio of any data protection impact assessments or consultations with supervisory authorities that relate to TrueFio's processing activities under this DPA.
  • When connecting third-party platforms (Meta Ads, Google Ads, Shopify, etc.) to TrueFio, the Customer confirms that such connections are authorised under the Customer's agreements with those third parties and comply with their respective data sharing policies.

4. TrueFio Obligations as Data Processor

TrueFio shall:

  • Process Customer Data only on documented instructions from the Customer, including with respect to transfers of personal data to a third country, unless required to do so by applicable law to which TrueFio is subject. In such a case, TrueFio shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
  • Ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6 of this DPA.
  • Not engage another processor (Sub-Processor) without prior specific or general written authorisation of the Customer, as described in Section 5 of this DPA.
  • Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights.
  • Assist the Customer in ensuring compliance with obligations relating to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to TrueFio.
  • At the choice of the Customer, delete or return all Customer Data to the Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the personal data.
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to the terms of Section 11.
  • Immediately inform the Customer if, in TrueFio's opinion, an instruction from the Customer infringes Applicable Data Protection Law.
  • Not process Customer Data for any purpose other than providing the Services, and specifically shall not sell Customer Data, use it for profiling or targeted advertising, or share it with third parties except as expressly permitted under this DPA.

5. Sub-Processors

The Customer provides general authorisation for TrueFio to engage the Sub-Processors listed below. TrueFio shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object to such changes. If the Customer objects on reasonable grounds relating to data protection, and TrueFio cannot reasonably accommodate the objection, either party may terminate the affected Services.

Cloud Hosting Provider
  • Purpose: Infrastructure hosting — servers, databases, file storage, and compute resources for the Platform
  • Data Processed: All Customer Data stored and processed by the Platform
  • Location: India / Singapore (primary), with CDN edge nodes globally

Razorpay
  • Purpose: Payment processing — subscription billing, plan upgrades, refunds, and invoice generation
  • Data Processed: Customer billing information: name, email, phone, GST number, payment method details (processed by Razorpay; card numbers are never stored by TrueFio)
  • Location: India

Resend / SendGrid
  • Purpose: Transactional email delivery — account verification, password resets, alert notifications, billing receipts, and team invitation emails
  • Data Processed: Recipient email addresses, names, and email content (which may contain order summaries or alert details)
  • Location: United States

Meta Platforms
  • Purpose: Advertising data retrieval — as directed by the Customer, TrueFio connects to the Meta Ads API to retrieve campaign performance data, ad spend, impressions, clicks, and conversion data
  • Data Processed: Ad account data, campaign metrics, fbclid identifiers for attribution matching. Data flows from Meta to TrueFio as authorised by the Customer
  • Location: United States / Ireland

Google
  • Purpose: Advertising data retrieval and authentication — as directed by the Customer, TrueFio connects to the Google Ads API to retrieve campaign data. Google OAuth is used for optional sign-in
  • Data Processed: Ad account data, campaign metrics, gclid identifiers for attribution matching, Google account profile (email, name) for OAuth authentication
  • Location: United States

Shopify
  • Purpose: E-commerce data retrieval — as directed by the Customer, TrueFio connects to Shopify APIs to retrieve order data, product data, and customer information for ROAS calculation
  • Data Processed: Order details (customer names, addresses, phone numbers, email addresses, products ordered, order values, payment status), product catalogue data
  • Location: United States / Canada

AI Providers (Anthropic / OpenAI / Google)
  • Purpose: AI-powered analytics and recommendations — anonymised and aggregated data is sent to AI providers to generate campaign optimisation recommendations, anomaly detection, and natural-language insights
  • Data Processed: Anonymised, aggregated metrics only — campaign performance summaries, spend patterns, RTO rates, product category trends. No personally identifiable information (names, emails, phone numbers, addresses) is sent to AI providers
  • Location: United States

TrueFio shall impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA. TrueFio shall remain fully liable to the Customer for the performance of each Sub-Processor's obligations. The current list of Sub-Processors is maintained at this page and will be updated at least 30 days before any new Sub-Processor begins processing Customer Data.

6. Data Security Measures

TrueFio implements and maintains the following technical and organisational security measures to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage:

6.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced on all endpoints)
  • All data at rest is encrypted using AES-256 encryption at the storage layer
  • Database backups are encrypted and stored in geographically separate locations
  • Sensitive tokens and API keys are encrypted with application-level encryption before database storage
  • Authentication tokens use cryptographically signed JWTs with short expiration times

6.2 Access Controls

  • Role-based access control (RBAC) enforced at the application layer with granular permissions
  • Multi-tenant isolation through row-level security (RLS) policies — each Customer can only access their own data
  • Mandatory multi-factor authentication (MFA) for all internal TrueFio team members accessing production systems
  • Principle of least privilege applied to all internal access — team members only have access to systems required for their role
  • OAuth tokens for third-party integrations are scoped to the minimum permissions required and stored encrypted
  • Session management with secure, httpOnly, SameSite=Strict cookies and automatic session expiration

6.3 Audit Logging

  • Comprehensive audit logs of all data access, modifications, and administrative actions
  • Immutable audit trail for security-relevant events (login attempts, permission changes, data exports, API key usage)
  • Log retention for a minimum of 12 months for security and compliance purposes
  • Anomaly detection on access patterns to identify potential unauthorised access

6.4 Infrastructure Security

  • Production infrastructure hosted in SOC 2 Type II certified data centres
  • Network segmentation isolating database servers from public-facing services
  • Regular security patching and vulnerability assessments
  • DDoS protection and Web Application Firewall (WAF) on all public endpoints
  • Automated database backups with point-in-time recovery capability

6.5 Application Security

  • Parameterised database queries to prevent SQL injection (no string interpolation in queries)
  • Input validation and sanitisation on all user-supplied data
  • Content Security Policy (CSP) headers to prevent cross-site scripting (XSS)
  • Rate limiting on authentication endpoints and API routes to prevent brute-force attacks
  • Secure password hashing using bcrypt with appropriate work factors

7. Data Breach Notification

7.1 TrueFio shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data. The notification shall be made to the email address associated with the Customer's account and, where available, through the Platform's notification system.

7.2 The breach notification shall include, to the extent reasonably available at the time of notification:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned
  • The name and contact details of the TrueFio data protection point of contact from whom more information can be obtained
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken by TrueFio to address the Personal Data Breach, including measures to mitigate its possible adverse effects

7.3 Where it is not possible to provide all information at the time of the initial notification, TrueFio shall provide information in phases without further undue delay as it becomes available.

7.4 TrueFio shall co-operate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach. TrueFio shall preserve and provide to the Customer all relevant records, logs, and evidence relating to the breach.

7.5 The notification of or response to a Personal Data Breach by TrueFio under this section shall not be construed as an acknowledgement by TrueFio of any fault or liability with respect to the Personal Data Breach.

8. Data Subject Requests

8.1 TrueFio shall, to the extent legally permitted, promptly notify the Customer if TrueFio receives a request from a Data Subject to exercise any of their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, data portability, and objection) in relation to Customer Data ("Data Subject Request").

8.2 TrueFio shall not respond directly to a Data Subject Request unless authorised to do so by the Customer or required to do so by Applicable Data Protection Law. If TrueFio is legally required to respond, TrueFio shall, to the extent legally permitted, inform the Customer of that legal requirement before responding.

8.3 TrueFio shall provide the Customer with reasonable technical and organisational assistance to fulfil Data Subject Requests, taking into account the nature of the processing. This includes providing the Customer with self-service tools within the Platform to:

  • Export Customer Data in a structured, commonly used, machine-readable format (CSV, JSON)
  • Delete specific end-customer records from the Platform
  • Modify or correct end-customer data within the Platform
  • Restrict processing of specific data by disabling integrations or data sync for particular records

8.4 To the extent that the Customer is unable to fulfil a Data Subject Request independently through the Platform, TrueFio shall provide additional assistance upon request. TrueFio may charge a reasonable fee for such assistance where the requests are manifestly unfounded, excessive, or require disproportionate effort, provided that TrueFio notifies the Customer of such fee in advance.

9. Data Retention and Deletion

9.1 During the term of the Agreement, TrueFio retains Customer Data in accordance with the data retention limits specified in the Customer's subscription plan. Data beyond the retention period is automatically purged from active systems. Retention periods by plan are:

  • Free plan: 7 days
  • Starter plan: 30 days
  • Growth plan: 90 days
  • Pro / Enterprise plans: As specified in the plan terms, up to 365 days

9.2 Upon termination or expiration of the Agreement, TrueFio shall:

  • Provide the Customer with a 30-day period following termination to export their Customer Data through the Platform's export functionality
  • After the 30-day export period, delete all Customer Data from active production systems within 30 additional days (60 days total from termination)
  • Remove Customer Data from backup systems within 90 days following deletion from production systems, as part of the normal backup rotation cycle

9.3 TrueFio may retain limited data after the deletion period only where required by applicable law (e.g., financial transaction records required for tax compliance under Indian GST regulations, which must be retained for a minimum period as prescribed by law). Such retained data shall be restricted from further processing and shall be deleted as soon as the legal retention obligation expires.

9.4 Upon the Customer's written request, TrueFio shall provide written confirmation that Customer Data has been deleted in accordance with this section.

10. International Data Transfers

10.1 TrueFio's primary infrastructure is located in India. However, certain Sub-Processors (as listed in Section 5) may process Customer Data in jurisdictions outside India, including the United States, the European Union, Canada, and Singapore.

10.2 Where Customer Data is transferred to a jurisdiction that does not provide an adequate level of data protection as determined by applicable authorities, TrueFio shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (for GDPR-covered transfers)
  • The UK International Data Transfer Addendum (for UK GDPR-covered transfers)
  • Data processing agreements with Sub-Processors that include equivalent protections to those in this DPA
  • Verification that Sub-Processors maintain appropriate security certifications (e.g., SOC 2, ISO 27001)

10.3 TrueFio shall inform the Customer upon request of the specific safeguards applied to any particular international transfer of Customer Data.

10.4 With respect to India's DPDPA, TrueFio shall comply with any restrictions on cross-border transfers as notified by the Central Government of India, and shall not transfer Customer Data to any jurisdiction that has been specifically restricted under the DPDPA.

11. Audit Rights

11.1 TrueFio shall make available to the Customer, upon reasonable request, all information necessary to demonstrate compliance with the obligations set out in this DPA and Applicable Data Protection Law.

11.2 The Customer (or an independent third-party auditor appointed by the Customer and approved by TrueFio, such approval not to be unreasonably withheld) may conduct an audit of TrueFio's processing activities and security measures, subject to the following conditions:

  • The Customer shall provide at least 30 days' written notice of any audit request
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt TrueFio's operations
  • The Customer may conduct no more than one audit per calendar year, unless required by a supervisory authority or following a Personal Data Breach
  • The auditor shall execute a confidentiality agreement before the audit commences
  • The scope of the audit shall be limited to TrueFio's processing of Customer Data under this DPA
  • TrueFio shall co-operate with the audit and provide reasonable access to relevant systems, facilities, and personnel

11.3 As an alternative to a physical audit, TrueFio may satisfy the Customer's audit requirements by providing: (a) a current SOC 2 Type II report or equivalent certification from an independent auditor; (b) responses to a reasonable data protection questionnaire; or (c) evidence of compliance with applicable security standards. The Customer shall consider such alternatives in good faith before requesting an on-site audit.

11.4 The costs of any audit shall be borne by the Customer, unless the audit reveals a material non-compliance by TrueFio with this DPA, in which case TrueFio shall bear the reasonable costs of the audit.

12. Term and Termination

12.1 This DPA shall commence on the effective date of the Agreement and shall continue in force for as long as TrueFio processes Customer Data on behalf of the Customer.

12.2 This DPA shall automatically terminate upon termination or expiration of the Agreement, subject to TrueFio's obligations regarding data deletion as set out in Section 9, which shall survive termination.

12.3 Either party may terminate this DPA immediately upon written notice if:

  • The other party commits a material breach of this DPA and fails to remedy such breach within 30 days of receiving written notice of the breach
  • A supervisory authority orders the cessation of data processing activities covered by this DPA
  • The other party enters into insolvency, bankruptcy, liquidation, or similar proceedings

12.4 Sections 6 (Data Security), 7 (Breach Notification), 9 (Data Retention and Deletion), 10 (International Transfers), 11 (Audit Rights), and 13 (Liability) shall survive termination of this DPA and shall continue in force for as long as TrueFio retains any Customer Data.

13. Liability

13.1 Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in this DPA or the Agreement shall limit or exclude either party's liability for:

  • Breaches of obligations that cannot be limited under Applicable Data Protection Law
  • Wilful misconduct or gross negligence in the handling of Customer Data
  • TrueFio's processing of Customer Data outside of or contrary to the Customer's lawful instructions, except where required by applicable law
  • Fines or penalties imposed by supervisory authorities to the extent caused by a party's breach of its obligations under this DPA

13.2 TrueFio shall indemnify and hold harmless the Customer from and against any losses, damages, costs, and expenses (including reasonable legal fees) arising directly from TrueFio's breach of this DPA or failure to comply with its obligations as Data Processor under Applicable Data Protection Law, provided that:

  • The Customer notifies TrueFio promptly of any claim
  • The Customer provides reasonable co-operation in the defence of any claim
  • TrueFio is given reasonable control over the defence and settlement of any claim (provided that TrueFio shall not settle any claim that imposes obligations on the Customer without the Customer's prior written consent)

13.3 The Customer shall indemnify and hold harmless TrueFio from and against any losses, damages, costs, and expenses arising from: (a) the Customer's breach of its obligations under Section 3 of this DPA; (b) any claim by a Data Subject or supervisory authority arising from the Customer's failure to comply with Applicable Data Protection Law in its capacity as Data Controller; or (c) any instructions given by the Customer that cause TrueFio to infringe Applicable Data Protection Law, provided that TrueFio informed the Customer of such infringement as required by Section 4.

13.4 Where both parties are responsible for damage caused by processing that infringes Applicable Data Protection Law, each party shall be liable for the entirety of the damage in order to ensure effective compensation of the Data Subject. Where one party has paid full compensation to the Data Subject, that party shall be entitled to claim back from the other party that part of the compensation corresponding to the other party's share of responsibility for the damage.

14. General Provisions

14.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws governing the Agreement, without regard to conflict of law principles. For Customers based in India, this DPA shall be governed by the laws of India, including the DPDPA and the Information Technology Act, 2000. For Customers based in the EU or UK, the GDPR or UK GDPR (as applicable) shall apply to this DPA in addition to the governing law of the Agreement.

14.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced with a valid and enforceable provision that achieves, to the greatest extent possible, the original intent of the parties.

14.3 Amendments. This DPA may only be amended in writing, signed by both parties, or by TrueFio providing an updated DPA to the Customer with at least 30 days' notice before the changes take effect. The Customer's continued use of the Services after the notice period constitutes acceptance of the updated DPA.

14.4 Entire Agreement. This DPA, together with the Agreement and any annexes hereto, constitutes the complete and exclusive statement of the mutual understanding of the parties with respect to the subject matter hereof and supersedes all prior written and oral agreements and communications regarding such subject matter.

Contact

For questions regarding this Data Processing Agreement, to exercise audit rights, or to report a data protection concern, please contact:

Data Protection Contact: privacy@truefio.com

General Support: support@truefio.com

Platform: truefio.com

© 2026 TrueFio. All rights reserved.